Esa Content Filters PDF

CISCO EMAIL SECURITY APPLIANCE
BEST PRACTICES:
I N C O M I N G & O U T G O I N G C O N T E N T F I LT E R S
September 2015
Version 1.0.1
Dalton Hamilton
Cisco Sales Engineer
THE MOST RECENT VERSION OF THIS DOCUMENT CAN BE FOUND HERE:
https://cisco.com/go/emailsecurity-customer
ESA Incoming and Outgoing Content Filters - Best Practices
THE MOST RECENT VERSION OF THIS DOCUMENT CAN BE FOUND HERE: 1
PURPOSE OF THIS DOCUMENT 3
OVERVIEW OF STEPS 3
STEP 1: IMPORTING THE NEEDED DICTIONARIES 4
STEP 2: CREATING THE CENTRALIZED QUARANTINES 5
STEP 3: CREATING THE INCOMING CONTENT FILTERS 7
STEP 4: CREATING THE OUTGOING CONTENT FILTERS 15
NEXT STEPS AND SUMMARY 18
2
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
PURPOSE OF THIS DOCUMENT
Content Filters allow you to inspect the intricate details of an Email and take Actions (or no
Action) on the Email. Once the Incoming or Outgoing Content Filter is created, you
apply it to a Incoming or Outgoing Mail Policy. When any Email matches the Content
Filter, the ’Content Filters’ Report on the ESA and SMA will be able to show you all email
that matched any Content Filter. Therefore, even if no Action is taken, it is an excellent
way to obtain valuable information about the type of emails entering and leaving your
organization — allowing you to “Pattern” your email flow.
As there are many different Content Filter ‘Conditions’ and ‘Actions’, this document will
step you through some very common and recommended Incoming and Outgoing Content
Filters.
OVERVIEW OF STEPS
Step1: Import the needed dictionaries:

This document will provide the steps necessary for you to implement some Best Practices
Incoming and Outgoing Content Filters. The Content Filters we are going to create will
reference a few dictionaries — so we will need to import those dictionaries first. The ESA
ships with the dictionaries and you merely need to import them into the configuration in
order to reference them in the Content Filters we will create.
Step2: Create the Centralized Quarantines

For most of the Content Filters we will create, we will set the ‘Action’ to Quarantine the
Email (or a copy of the Email) into a specified designated custom (new) Quarantines —
and therefore, we need to first create those Quarantines on the SMA — as this document
assumes you have enabled Centralized PVO (Policy, Virus, and Outbreak) Quarantines
between the ESA and SMA.
Step3: Create the Incoming and Outgoing Content Filters and Apply to Policies
Once we have the dictionaries imported and the Quarantines created, we will create the
Inbound Content Filters and apply them to the Incoming Mail Policies and then create the
Outgoing Content Filters and apply them to the Outgoing Mail Policies.
3
STEP 1: IMPORTING THE NEEDED DICTIONARIES
Importing the Dictionaries that we will be referencing in our Content Filters:
On the ESA appliance, Navigate to: Mail Policies > Dictionaries
Click the “Import Dictionary” button on the right side of the page.
Profanity:
• Select “Import from the configuration directory on your IronPort appliance”
• Select “profanity.txt” and click “Next”.
• Name: Profanity
• Click the “Match whole words” (VERY IMPORTANT)
• Modify the terms (add new terms or remove unwanted terms)
• Click Submit
SexualContent:
• Select “Import from the configuration directory on your IronPort appliance.” Select the
“sexual_content.txt” and click “Next”.
• Name: SexualContent
• Click Submit
Proprietary:
• Select “Import from the configuration directory on your IronPort appliance.” Select the
“proprietary_content.txt” and click “Next”.
• Name: Proprietary
• Click Submit
4
STEP 2: C R E AT I N G T H E C E N T R A L I Z E D Q U A R A N T I N E S
On the SMA, navigate to: Email Tab > Message Quarantine > PVO Quarantines
This is what the Quarantines table should look like before we start. All quarantines are
default.
Click the “Add Policy Quarantine…” button and Create the below Quarantines. Some will be
used by Incoming Content Filters and some will be used by Outgoing Content Filters. You
create them in the same manner.
PVO Quarantines - used by Incoming Content Filters
URL Malicious Inbound: SPF Hard Fail:
Name: URL Malicious Inbound Name: SPF Hard Fail
Retention Period: 14 Days Retention Period: 14 Days
Default Action: Delete Default Action: Delete
Free up space: Enable Free up space: Enable
URL Category Inbound: SPF Soft Fail:
Name: URL Category Inbound Name: SPF Soft Fail
Bank Data Inbound: SpoofMail:
Name: Bank Data Inbound Name: SpoofMail
SSN Inbound: DKIM Hard Fail:
Name: SSN Inbound Name: DKIM Hard Fail
Inappropriate Inbound: Password Protected Inbound:
Name: Inappropriate Inbound Name: Pwd Protected Inbound
5
PVO Quarantines - used by Outgoing Content Filters

Bank Data Outbound: URL Malicious Outbound:
Name: Bank Data Outbound Name: URL Malicious Outbound
SSN Outbound: URL Category Outbound:
Name: SSN Outbound Name: URL Category Outbound
Inappropriate Outbound: Password Protected Outbound:
Name: Inappropriate Outbound Name: Pwd Protected Outbound
Proprietary Outbound:
Name: Proprietary Outbound
Retention Period: 14 Days
Default Action: Delete
Free up space: Enable
Here is how your PVO table should look after creating all of the PVO Quarantines.
6
STEP 3: C R E AT I N G T H E I N C O M I N G C O N T E N T F I LT E R S
Once the Dictionaries have been imported and the PVO Quarantines have been created,
you can now start creating the Incoming Content Filters:
Navigate to: Mail Policies > Incoming Content Filters
Here is a table of Incoming Content Filters you should create. For example purposes, below the
table is a screenshot exemplifying how to create the first one.
Create these Incoming Content Filters:

Create these Incoming Content Filters
Name: Bank_Data
Add Two Conditions:
Message Body or Attachment:
Contains Smart Identifier: ABA Routing Number
Contains Smart Identifier: Credit Card Number
Add One Action:
Quarantine:
Send message to quarantine: “Bank Data Inbound (centralized)”
Duplicate message: Enabled
(Note the Apply Rule should be “If one or more conditions match”)
Name: SSN
Add One Condition:
Contains Smart Identifier: Social Security Number (SSN)
Add One Action:
Quarantine:
Send message to quarantine: “SSN Inbound (centralized)”
Name: Inappropriate
Add Two Conditions:
Contains term in dictionary: Profanity
Contains term in dictionary: Sexual_Content
Add One Action:
Quarantine:
Send message to quarantine: “Inappropriate Inbound (centralized)”
7
Name: URL_Category
Add One Condition:
URL Category:
Select Categories:
Adult, Dating, Filter Avoidance, Freeware and Shareware, Gambling,
Games, Hacking, Lingerie and Swimsuits, Non-sexual Nudity,
Parked Domains, Peer File Transfer, Pornography
Add One Action:
Quarantine:
Send message to quarantine: “URL Category Inbound (centralized)”
*** Note: This Content Filter requires that you enable “Security Services”—> “URL Filtering”
Name: URL_Malicious
Add One Condition:
URL Reputation:
URL Reputation is: Malicious (-10.0 to -6.0)
Add One Action:
Quarantine:
Send message to quarantine: “URL Malicious Inbound (centralized)”
Duplicate message: Disabled (**** Quarantine the original ****)
Name: Password_Protected
Add One Condition:
Attachment Protection: One or more attachments are protected
Add One Action:
Quarantine:
Send message to quarantine: “Pwd Protected Inbound (centralized)”
Name: Size_10M
Add One Condition:
Message Size is:
Greater than or equal to: 10M
Add One Action:
Add Message Tag:
Enter a Term: NOOP
(Note: There must be some action so here we “Tag” the message to represent no operation taken.
The fact that the content filter was “Matched” will allow it to show up in reporting. No ‘Action”
need be taken for it to show in Reporting.)
8
Name: SPF_Hard_Fail
Add One Condition:
SPF Verification: “is” Fail
Add One Action:
Quarantine:
Send message to quarantine: “SPF Hard Fail (centralized)”
(Note: “is Fail” is a Hard SPF failure and it means the owner of the domain is telling you to drop
all emails received from senders that are not listed in their SPF record. Initially, it is a good idea
to use “Duplicate message” and review the failures for a week or two before quarantining the
original (i.e. turning off duplicate message).
Name: SPF_Soft_Fail
Add One Condition:
SPF Verification: “is” Softfail
Add One Action:
Quarantine:
Send message to quarantine: “SPF Soft Fail (centralized)”
Name: DKIM_Hardfail_Copy
Add One Condition:
DKIM Authentication: “is” Hardfail
Add Two Actions:
Add/Edit Header:
Header Name: Subject
Click “Prepend to the Value of Existing Header” and enter: [Copy - Do Not Release]”
Quarantine:
Send message to quarantine: “DKIM Hard Fail (centralized)”
(Note: Quarantine a copy of the message initially.)
Name: DKIM_Hardfail_Original
Add One Condition:
DKIM Authentication: “is” Hardfail
Add One Action:
Quarantine:
Send message to quarantine: “DKIM Hard Fail (centralized)”
Duplicate message: Disabled
(Note: We will be creating another Incoming Mail Policy row for PayPal and Ebay domains and
will use this Content Filter for domains that we know should pass DKIM Verification.)
9
Name: Spoof_SPF_Failures
Add One Condition but it has BOTH Softfail and Hardfail checked:
SPF Verification: “is” Softfail and also click on “Fail”
(so you have two checkboxes clicked “Softfail” and “Fail”
Add One Action:
Quarantine:
Send message to quarantine: “SpoofMail (centralized)”
Duplicate message: Enable
(Note: We will use this Content Filter to take action for incoming email pretending to send from
your own domain — spoofing. Start with the action set to quarantine a copy and after a couple of
weeks of reviewing the SpoofMail quarantine, you can modify your SPF TXT DNS record to add
all legitimate senders and at some point you can change this content filter to quarantine the
original by disabling the duplicate message checkbox.)
As an example, this is what the Bank_Data Content Filter should look like before you
Submit:
After creating all of the Incoming Content Filters, the table should now look like this:
Because the “Policies” function is selected (you’ll see the Polices hypertext at the top
middle) the middle column shows the Incoming Mail Policies the Content Filter has been
applied to. Because we have not applied them to any Incoming Mail Policy, the “Not in use”
is displayed.
Apply the Incoming Content Filters to the Incoming Mail Policies:
Navigate to: Mail Policies > Incoming Mail Policies
10
Click on the “Disabled” text in the Content Filters cell for the Default Policy.
The pull-down menu button is set to “Disable Content Filters”. Click the button and set to
“Enable Content Filters” and you will immediately be presented with all Incoming Content
Filters that have been created. Enable all filters except the DKIM_Hardfail_Original, and
Spoof_SPF_Failures.
Submit and Commit
11
DKIM Verification for Ebay & Paypal and Spoof Email Protection for your domain
Those two topics will involve Content Filters that utilize DKIM Verification and SPF
Verification. Therefore, we must first ensure both DKIM and SPF Verification are enabled.
Step 1: Enable DKIM and SPF Verification within Mail Flow Policies
Navigate to: Mail Policies —> Mail Flow Policies
Enable DKIM and SPF Verification within all Mail Flow Policies that have “Connection
Behavior” of “Accept”.
Click on the bottom hypertext “Default Policy Parameters” and set “DKIM Verification” to “On”
and “SFP/SIDF Verification” to “On”.
Click Submit.
You now see the Mail Flow Policies table.
Look at the column named “Behavior” and edit any Mail Flow Policy with the Behavior set to
“Relay” to turn “Off” both DKIM and SPF Verification for those Mail Flow Policies. We do
not want the ESA to perform DKIM or SPF verification for email received into the ESA
from your Exchange Mail Server heading outbound. In most configurations the “RELAYED”
Mail Flow Policy is the only row with the Behavior of Relay.
Step 2: Create a new Incoming Mail Flow Policy for Ebay and Paypal
Inbound Email received from Ebay and Paypal should always pass DKIM verification. We
will therefore create another Incoming Mail Policy to use the DKIM_Hardfail_Original
Incoming Content Filter for email from those domains.
Click the Add Policy button.
Enter the Name: DKIM Hardfail Original
Click “Add User…” button.
The next configuration panel lets you define what messages will match this new Incoming
Mail Policy. We only want to define criteria for the Sender (the left portion of the
configuration panel).
Click “Following Senders” radio button and in the Email Addresses table enter “@ebay.com,
@paypal.com”
12
Click the “Ok” button at the bottom.
Click Submit.
You are presented with the Incoming Mail Policies table again but now you have a new
Mail Policy row above the Default Policy.
Click the (use default) hypertext in the Content Filters cell for the new row.
Flip the pulldown menu to “Enable Content Filters (Customized Settings)”.
Uncheck the “DKIM_Hardfail_Copy” and Check the “DKIM_Hardfail_Original”.
Click Submit and Commit changes.
Step 3: Create a new Incoming Mail Flow Policy for Your Domain (Spoof Protection)
The steps in this section will allow you take action on Incoming email that has a From
email address of your own domain and that are failing SPF verification. Of course this
relies on you having already published your SPF Text Record in DNS. Skip these steps if
you have not created/published a SPF Text Resource record for your domain.
Click the Add Policy button.
Enter the Name: Spoof_Protection
Click “Add User…” button.
13
The next configuration panel lets you define what messages will match this new Incoming
Mail Policy row. You only want to define criteria for the Sender (which is the left portion
of the configuration panel).
Click “Following Senders” radio button and then enter your domain in the “Email Address:”
text box. For me, my domain is “@unc-hamiltons.com”
Click Submit.
You are presented with the Incoming Mail Policies table again but now you have a second new
Mail Policy row above the Default Policy.
Click the (use default) hypertext in the Content Filters cell for the new row.
Flip the pulldown menu to “Enable Content Filters (Customized Settings)”.
Check the “Spoof_SPF_Failures” also ensure both DKIM_Hardfail_Copy and

DKIM_Hardfail_Original are not checked.
Click Submit and Commit changes.
The Incoming Mail Policies table should now look like this:
14
STEP 4: C R E AT I N G T H E O U T G O I N G C O N T E N T F I LT E R S
Navigate to: Mail Policies > Outgoing Content Filters
Here is a table of Outgoing Content Filters you should create.
Create these Outgoing Content Filters:

Create these Outgoing Content Filters
Name: Bank_Data
Add Two Conditions:
Contains Smart Identifier: ABA Routing Number
Contains Smart Identifier: Credit Card Number
Add One Action:
Quarantine:
Send message to quarantine: “Bank Data Outbound (centralized)”
(Note the Apply Rule should be “If one or more conditions match”)
Name: SSN
Add One Condition:
Contains Smart Identifier: Social Security Number (SSN)
Add One Action:
Quarantine:
Send message to quarantine: “SSN Outbound (centralized)”
Name: Inappropriate
Add Two Conditions:
Contains term in dictionary: Profanity
Contains term in dictionary: Sexual_Content
Add One Action:
Quarantine:
Send message to quarantine: “Inappropriate Outbound (centralized)”
15
Name: URL_Category
Add One Condition:
URL Category:
Select Categories:
Adult, Dating, Filter Avoidance, Freeware and Shareware, Gambling,
Games, Hacking, Lingerie and Swimsuits, Non-sexual Nudity,
Parked Domains, Peer File Transfer, Pornography
Add One Action:
Quarantine:
Send message to quarantine: “URL Category Outbound (centralized)”
Name: URL_Malicious
Add One Condition:
URL Reputation:
URL Reputation is: Malicious (-10.0 to -6.0)
Add One Action:
Quarantine:
Send message to quarantine: “URL Malicious Outbound (centralized)”
Duplicate message: Disabled (**** Quarantine the Original ****)
Name: Password_Protected
Add One Condition:
Attachment Protection: One or more attachments are protected
Add One Action:
Quarantine:
Send message to quarantine: “Pwd Protected Outbound (centralized)”
Name: Size_10M
Add One Condition:
Message Size is:
Greater than or equal to: 10M
Add One Action:
Add Message Tag:
Enter a Term: NOOP
(Note: There must be some action so here we “Tag” the message to represent no
operation taken. The fact that the content filter was “Matched” will allow it to show up
in reporting. No ‘Action” need be taken for it to show in Reporting.)
16
Name: Proprietary
Add One Condition:
Contains term in dictionary: Proprietary
Add One Action:
Quarantine:
Send message to quarantine: “Proprietary (centralized)”
Because the “Policies” function is selected (you’ll see the Polices hypertext at the top middle)
the middle column shows the Outgoing Mail Policies the Content Filter has been applied to.
Because we have not applied them to any Outgoing Mail Policy, the “Not in use” is displayed.
Navigate to: Mail Policies > Outgoing Mail Policies
Click on the “Disabled” text in the Content Filters cell for the Default Policy.
The pull-down menu button is set to “Disable Content Filters”. Click the button and set to
Enable Content Filters and you will immediately be presented with all Outgoing Content
Filters that have been created. Enable all filters.
Submit and Commit
17
NEXT STEPS AND SUMMARY
You have now implemented initial Best Practices for Incoming and Outgoing Content
Filters. Most (not all) Content Filters used the Quarantine Action and elected to check
(Enable) “Duplicate message” option — which merely places a copy of the Original Email
and did not prevent the email from being delivered. The intent of these Content Filters is to
allow you to gather information about the types of emails flowing Inbound and Outbound
to your company.
Having said that, after running the Content Filters report and looking over the email copies
saved in the quarantines, it may be prudent to un-check the “Duplicate message” checkbox
option and thereby start placing the original email into the quarantine instead of a copy/
duplicate.
18

Esa Content Filters PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Esa Content Filters PDF

Uploaded by

Copyright:

Available Formats

CISCO EMAIL SECURITY APPLIANCE

THE MOST RECENT VERSION OF THIS DOCUMENT CAN BE FOUND HERE:

PURPOSE OF THIS DOCUMENT 3

OVERVIEW OF STEPS 3

STEP 1: IMPORTING THE NEEDED DICTIONARIES 4

STEP 2: CREATING THE CENTRALIZED QUARANTINES 5

STEP 3: CREATING THE INCOMING CONTENT FILTERS 7

STEP 4: CREATING THE OUTGOING CONTENT FILTERS 15

NEXT STEPS AND SUMMARY 18

PURPOSE OF THIS DOCUMENT

Step1: Import the needed dictionaries:

Step2: Create the Centralized Quarantines

STEP 1: IMPORTING THE NEEDED DICTIONARIES

Importing the Dictionaries that we will be referencing in our Content Filters:

On the ESA appliance, Navigate to: Mail Policies > Dictionaries

PVO Quarantines - used by Outgoing Content Filters

Navigate to: Mail Policies > Incoming Content Filters

Create these Incoming Content Filters:

Create these Incoming Content Filters

Create these Incoming Content Filters

(Note: Quarantine a copy of the message initially.)

Create these Incoming Content Filters

Apply the Incoming Content Filters to the Incoming Mail Policies:

Navigate to: Mail Policies > Incoming Mail Policies

Submit and Commit

You now see the Mail Flow Policies table.

Navigate to: Mail Policies > Incoming Mail Policies

Click the Add Policy button.

Enter the Name: DKIM Hardfail Original

Click “Add User…” button.

Click the “Ok” button at the bottom.

Flip the pulldown menu to “Enable Content Filters (Customized Settings)”.

Uncheck the “DKIM_Hardfail_Copy” and Check the “DKIM_Hardfail_Original”.

Click Submit and Commit changes.

Navigate to: Mail Policies > Incoming Mail Policies

Click the Add Policy button.

Enter the Name: Spoof_Protection

Click “Add User…” button.

Flip the pulldown menu to “Enable Content Filters (Customized Settings)”.

Check the “Spoof_SPF_Failures” also ensure both DKIM_Hardfail_Copy and

Click Submit and Commit changes.

Navigate to: Mail Policies > Outgoing Content Filters

Here is a table of Outgoing Content Filters you should create.

Create these Outgoing Content Filters:

Create these Outgoing Content Filters

Create these Outgoing Content Filters

Navigate to: Mail Policies > Outgoing Mail Policies

Submit and Commit

NEXT STEPS AND SUMMARY

You might also like